U.S. government rarely uses best cybersecurity steps: advisers

WASHINGTON (Reuters) - The U.S. government itself seldom follows the best cybersecurity practices and must drop its old operating systems and unsecured browsers as it tries to push the private sector to tighten its practices, technology advisers told President Barack Obama.

"The federal government rarely follows accepted best practices," the President's Council of Advisors on Science and Technology said in a report released on Friday. "It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."

PCAST is a group of top U.S. scientists and engineers who make policy recommendations to the administration. William Press, computer science professor at the University of Texas at Austin, and Craig Mundie, senior adviser to the CEO at Microsoft Corp, comprised the cybersecurity working group.

The Obama administration this year stepped up its push for critical industries to bolster their cyber defenses, and Obama in February issued an executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.

As part of the order, a non-regulatory federal standard-setting board last month released a draft of voluntary standards that companies can adopt, which it compiled through industry workshops.

But while the government urges the private sector to adopt such minimum standards, technology advisers say it must raise its own standards.

The advisers said the government should rely more on automatic updates of software, require better proof of identities of people, devices and software, and more widely use the Trusted Platform Module, an embedded security chip.

The advisers also said for swifter response to cyber threats, private companies should share more data among themselves and, "in appropriate circumstances" with the government. Press said the government should promote such private sector partnerships, but that sensitive information exchanged in these partnerships "should not be and would not be accessible to the government."

The advisers steered the administration away from "government-mandated, static lists of security measures" and toward standards reached by industry consensus, but audited by third parties.

The report also pointed to Internet service providers as well-positioned to spur rapid improvements by, for instance, voluntarily alerting users when their devices are compromised.